Re: [Netconf] Yangdoctors last call review of draft-ietf-netconf-restconf-notif-11

Robert Wilton <rwilton@cisco.com> Thu, 10 January 2019 10:18 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFA0E130DC8; Thu, 10 Jan 2019 02:18:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.641
X-Spam-Level:
X-Spam-Status: No, score=-14.641 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BHDQQqwS74N3; Thu, 10 Jan 2019 02:18:23 -0800 (PST)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8669F128CF3; Thu, 10 Jan 2019 02:18:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=17672; q=dns/txt; s=iport; t=1547115503; x=1548325103; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=4jeUwkoeVkA3OWQE9BQQsyKZqBvJJwzCFQpA4gdG2t0=; b=VbV9W0Tiqc/BywwVCOTmmZ0ajoMRbR30x4mR9sVX4GPTAw5JOBNs2HZh Dl2rb366dSClJ+oMFYoSV11GVMqS3J5nvpjE5vlS5bfHMJgeY1LJsUFcu QPBcQ3Nf4Kj8cOM1nM2znoVY5ubIQW/GxGduarCmqViE3P7wRLGv6FWTT Y=;
X-IronPort-AV: E=Sophos;i="5.56,460,1539648000"; d="scan'208,217";a="9355275"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Jan 2019 10:18:20 +0000
Received: from [10.63.23.64] (dhcp-ensft1-uk-vla370-10-63-23-64.cisco.com [10.63.23.64]) by aer-core-3.cisco.com (8.15.2/8.15.2) with ESMTP id x0AAIK9K001074; Thu, 10 Jan 2019 10:18:20 GMT
To: "Reshad Rahman (rrahman)" <rrahman@cisco.com>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>
Cc: "netconf@ietf.org" <netconf@ietf.org>, "draft-ietf-netconf-restconf-notif.all@ietf.org" <draft-ietf-netconf-restconf-notif.all@ietf.org>
References: <154688301471.23184.11003837983933531435@ietfa.amsl.com> <D7FCDD18-260A-40E6-8EF1-0485083FE21B@cisco.com>
From: Robert Wilton <rwilton@cisco.com>
Message-ID: <dfd6dda9-e67f-1969-e43a-edfd92ef37d5@cisco.com>
Date: Thu, 10 Jan 2019 10:18:20 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <D7FCDD18-260A-40E6-8EF1-0485083FE21B@cisco.com>
Content-Type: multipart/alternative; boundary="------------81056748BCAF61D7062AFBEC"
Content-Language: en-US
X-Outbound-SMTP-Client: 10.63.23.64, dhcp-ensft1-uk-vla370-10-63-23-64.cisco.com
X-Outbound-Node: aer-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/gZNna3X7jlwM0tOs6vds2dlaQMY>
Subject: Re: [Netconf] Yangdoctors last call review of draft-ietf-netconf-restconf-notif-11
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 10:18:26 -0000

Hi Reshad,

Please see inline ...

On 08/01/2019 23:18, Reshad Rahman (rrahman) wrote:
> Hi Rob,
>
> Thanks again for the review, inline.
>
> On 2019-01-07, 12:43 PM, "Robert Wilton" <rwilton@cisco.com>; wrote:
>
>      Reviewer: Robert Wilton
>      Review result: Ready with Issues
>      
>      I have reviewed this document as part of the YANG doctors directorate's
>      ongoing effort to review all IETF documents being processed by the IESG.  These
>      comments were written with the intent of improving the operational aspects of
>      the IETF drafts. Comments that are not addressed in last call may be included
>      in AD reviews during the IESG review.  Document editors and WG chairs should
>      treat these comments just like any other last call comments.
>      
>      This document and the associated YANG module looks like it is in good shape to
>      me.
>      
>      The two minor issues that I had that I think need to be resolved are:
>      - The section 3.4 handling subscriptions by admin users wasn't intuitive to me
>      (relative to what is stated in draft-ietf-netconf-subscribed-notifications).
>      Specifically what should an admin user be allowed to do vs the client that
>      initiated the subscription. - Section 4 on HTTP2 QoS seemed unclear to me.
> <RR> See below for response on the issues above.
>      
>      I think that all my other comments are really just nits:
>      
>      1) Section 3.2 Discovery, last paragraph.
>      
>      Would it be better for this to reference draft-ietf-netconf-nmda-restconf,
>      section 2 and '/yang-libary/datastore' draft-ietf-netconf-rfc7895bis, section 3?
> <RR> I can add section 2 in the reference to nmda-restconf. I don't think the transport drafts need to reference 7895/bis, please note that YP already references 7895.

OK, sounds reasonable.

Off topic for this thread, but 7895bis should be published soon, and it 
obsoletes 7895, so should YP be updated to reference 7895bis?


>      
>      2) RPC table in section 3.3.  The identity for "kill-subscription" should
>      probably be "delete-subscription-error" since "kill-subscription-error" isn't
>      defined.
> <RR> Good catch.
>      
>      3) Diagram in 3.4.  It wasn't immediately obvious to me that the vertical lines
>      in the lined up with connections (a) and (b).  I'm not sure whether it is worth
>      adding a comment to make this more explicit.  I figured it out whilst reading
>      the text below, perhaps most other readers would also do so.
> <RR> I'll try to make it clearer.
>      
>      4) Section 3.4, bottom of page 7, "must be sent within (b)" -> "MUST be sent
>      within (b)"
> <RR> Yes.
>      
>      5) Section 3.4:
>         o  RPCs modify-subscription, resync-subscription and delete-
>            subscription can only be done by the same RESTCONF username
>            [RFC8040] who did the establish-subscription, or by a RESTCONF
>            username with the required administrative permissions.  The latter
>            also has access to the kill-subscription RPC.
>      
>      Just to check, is it true that any RESTCONF username with the required
>      permissions is allowed to invoke the "delete-subscription" RPC?  Or should this
>      be restricted to same RESTCONF username?  In fact, I was wondering whether an
>      administrator should be allowed to invoke modify-subscription or
>      resync-subscription, or whether they should be restricted to kill-subscription
>      only?
> <RR> I do not see the benefit of restricting what an admin user can do. E.g. the admin may want to decrease the frequency of a periodic subscription.

I had a couple of concerns:
  1) Trying to align the RESTCONF handling of these RPCs to the 
behaviour specified in draft-ietf-netconf-subscribed-notifications and 
draft-ietf-netconf-netconf-event-notifications.
2) If NACM is used as the access control mechanism, then any client that 
has access to the <*-subscription> RPCs is allowed to invoke them for 
any subscription, unless additional checking is performed.  However, I 
appreciate that this extra checking could be more difficult/expensive to 
implement on some platforms.

Considering both of these, would the following rewording of the 
paragraph be better?

OLD:

        o  RPCs modify-subscription, resync-subscription and delete-
           subscription can only be done by the same RESTCONF username
           [RFC8040] who did the establish-subscription, or by a RESTCONF
           username with the required administrative permissions.  The latter
           also has access to the kill-subscription RPC.

NEW:

o In addition to any required access permissions (e.g., NACM), RPCs 
modify-subscription, resync-subscription and delete-subscription SHOULD 
only be allowed by the same RESTCONF  username [RFC8040] who invoked 
establish-subscription. o The kill-subscription RPC can be invoked by 
any RESTCONF username with the required administrative permissions.



>   
>      
>      6) Section 4 is unclear to me:
>      
>       - The paragraph starting "take any existing subscription "priority" ..."
>       states that the "dscp" field is copied into the HTTP2 stream priority, but I
>       couldn't find such a field in section 5.3 of RFC7540.  Hence, I was wondering
>       whether this paragraph shouldn't instead be stating the the "weighting" field
>       is copied into the HTTP2 stream priority header?
>      
>      E.g.
>      OLD:
>         o  take any existing subscription "priority", as specified by the
>            "dscp" leaf node in
>            [I-D.draft-ietf-netconf-subscribed-notifications], and copy it
>            into the HTTP2 stream priority, [RFC7540] section 5.3, and
>      
>      NEW:
>         o  take any existing subscription "priority", as specified by the
>            "weighting" leaf node in
>            [I-D.draft-ietf-netconf-subscribed-notifications], and copy it
>            into the HTTP2 stream weight, [RFC7540] section 5.3, and
>   <RR> Good catch.
>     
>      There is also no mention of how the "E" (Exclusive) bit should be set in the
>      HTTP2 stream headers.  Is this an omission?
> <RR> It is an omission, implied that it's not used. I can add text stating that it's set to 0.

OK.


>      
>      7) Section 6 doesn't contain any YANG Tree output.  Probably time to put that
>      in, but I would suggest not putting in the entire tree output, just the
>      relevant snippets.  If you want to include the full tree output then I would
>      suggest putting in an appendix instead.  The text in this section describing
>      the YANG model needs to be fixed since the YANG module doesn't actually define
>      any identities.
> <RR> I believe the YANG module was changed but not the text. Will fix and add the tree diagram.
>      
>      8) Section 7, YANG module comments
>      
>      Just nits:
>      
>      8.1) Check line length of the file, it looks like it goes over 69 characters.
>       - In particular, the namespace statement might need to be split.
>       - The module description text indentation looks off on the first line, and
>       probably needs to be re-flowed. - Some of the other descriptions look wide.
>      
>      8.2) The description for "subscription-modified" doesn't quite scan (as it goes
>      over the line break).
>      
>      9) One of the filter examples appendix A.3 is clearly over 72 characters,
>      suggest spliting.
> <RR> Ack.
>
> Regards,
> Reshad.
Thanks,
Rob


>      
>      Thanks,
>      Rob
>      
>      
>